Google and Apple's push for shorter certificate lifecycles: what to expect before the transition
Google and Apple are driving a pivotal change in public SSL/TLS certificate lifecycles, proposing a reduction from the current maximum of one year to just 47 days. This shift, backed and sponsored by Sectigo, aims to enhance security through more frequent updates, but it also introduces challenges for businesses, developers, and IT teams that depend on these certificates. Understanding the roadmap from these proposals to the enforcement of 47-day certificate lifecycles is crucial for organizations to adapt effectively.
Shortening certificates: not a new trend
Public SSL/TLS certificates have traditionally had much longer lifecycles, with the current maximum set at 398 days. However, the new proposal outlines a gradual reduction in the maximum certificate term, culminating in a 47-day limit by 2028. This reduction reflects a broader trend, championed by major browser vendors like Google and Apple, advocating shorter lifespans to improve security. Additionally, the proposal includes a corresponding decrease in the Domain Control Validation (DCV) reuse period, which will drop to just 10 days by 2028.
While still in the discussion phase, the plan differs from Google’s 90-day validity proposal and instead proposes maximum certificate terms of 200 days in 2026, 100 days in 2027, and 47 days in 2028. This approach highlights the industry's push for automated certificate lifecycle management to cope efficiently with the increasing frequency of renewals.
Industry preparation and strategy adjustments
As the effective dates approach, organizations will need to take proactive steps:
- Automation implementation: Automating certificate renewals is essential. With shorter certificate lifespans, manual management becomes impractical and risky. Enterprises will be advised to adopt automation solutions that handle certificate issuance and renewal, reducing the chances of service interruptions and outages.
- Subscription models and pricing adjustments: Certificate providers, like Sectigo, will likely introduce new subscription models that align with the 47-day cycle. Customers will be encouraged to buy certificates in multi-year packages, allowing automated renewals without constant manual intervention. This will ensure businesses are not unfairly disadvantaged financially for needing to increase their certificate usage, and provide a simpler process for managing certificates regardless of the size of the organization.
Dealing with transitional certificates
As the enforcement date draws near, companies may opt to strategically time the purchase of longer-duration certificates just before the new rule takes effect. For example, if a final cutoff for one-year certificates is set for late 2026, organizations might rush to buy one-year certificates before then, delaying the need to comply with the shortened lifecycle for another year. While this may provide temporary relief, any revocation or reissuance during this period will still be subject to the new 47-day rule, so organizations are strongly encouraged to onboard new processes and embrace Certificate Lifecycle Management tools and automation earlier than the deadline.
After all, if Google and Apple are giving countdowns to their deadline proposals, most businesses will likely need time to bring on new tools and programs and to ensure training and decision-making are managed well ahead of a ticking countdown.
Final transition and ongoing recommendations
Once the 47-day cycle is in full effect, companies will be advised to follow best practices, like renewing every month rather than strictly every 47 days. This reduces the risk of unexpected issues and fits more seamlessly into typical IT workflows. The industry will likely shift toward consistent, automated systems where certificates are continuously renewed without manual intervention.
This “set it and forget it” renewal process also ensures that the 47-day cycle doesn’t land on holiday periods. For example, if renewals are set for the 1st of every second month, this follows the current protocol of starting the renewal process 30 days ahead of expiry and ensures that the renewal doesn’t land over the Christmas holidays, when people are often on leave for extended periods.
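The cadence reasoning above can be checked numerically. The following Python sketch is an added example, not code from the original article or from Sectigo; the function names and the 7-day safety margin are assumptions. It takes the proposed maximum terms and computes how many days of validity remain on the old certificate when a renewal scheduled for the 1st of the month runs.

```python
from datetime import date

# Maximum certificate terms in days, from the proposed schedule in the article.
PROPOSED_MAX_TERM_DAYS = {2026: 200, 2027: 100, 2028: 47}


def first_of_month(year, month_index):
    """Return the 1st of a month, where month_index counts on past December."""
    return date(year + month_index // 12, month_index % 12 + 1, 1)


def worst_case_slack(term_days, months_between, start_year=2028, years=4):
    """Days of validity left on the old certificate when the next renewal runs.

    Renewals happen on the 1st of every `months_between`-th month. Every
    starting month and several years (including a leap year) are simulated,
    because the gap between two renewal dates depends on month lengths.
    A negative result means the certificate expires before it is replaced.
    """
    worst = None
    for offset in range(12 * years):
        issued = first_of_month(start_year, offset)
        next_renewal = first_of_month(start_year, offset + months_between)
        slack = term_days - (next_renewal - issued).days
        worst = slack if worst is None else min(worst, slack)
    return worst


def longest_safe_cadence(term_days, min_slack_days=7):
    """Largest whole-month renewal interval that always keeps `min_slack_days`
    of validity in hand (min_slack_days is an assumed safety margin)."""
    safe = 0
    for months in range(1, 13):
        if worst_case_slack(term_days, months) >= min_slack_days:
            safe = months
    return safe


if __name__ == "__main__":
    for year, term in PROPOSED_MAX_TERM_DAYS.items():
        months = longest_safe_cadence(term)
        print(f"{year}: max term {term} days -> renew every {months} month(s), "
              f"worst-case slack {worst_case_slack(term, months)} days")
```

For the 47-day term the longest safe whole-month interval is one month, which leaves 16 days of validity in hand after a 31-day month.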
Prepare now, stay secure
47-day certificates are not just a technical update – they're a major industry shift that demands careful planning and adaptation. By understanding the steps from proposal to implementation, organizations can stay ahead of the curve, ensuring smooth operations and robust security as these changes roll out.
Whether it’s through automation, adjusted pricing models, or strategic communication, those who prepare early will be well-positioned to thrive in the new era of digital certificate management.